I'd like to know if it's possible to prevent cheating in the following case

I have a Ruby on Rails app and a Active Record database

I have Users (model User), that play Games(model Game) and there are Prizes (model Prize).

What I want is to :

1- prevent a player from cheating/hacking on the winnings (prizes he has won)

2- prevent a player from cheating on the nb of shots he has

As a user can win multiple prizes and prizes can belong to multiple users, I have a many_to_many relations: i use for this a table/model Winnings that lists all stuff won in the games by each User (a user has many winnings and a prize has many winnings)

Players have a certain number of shots, let's say 3 per user.

For 1-, basically, i guess everytime a user wins a prize in a Game, i'll send the server a url like:
mygame/com/?winning_id=1234;game_id=3;user_id=6;prize_id=4, telling the server the user with id 6 has won a prize with id4 in the game with id 6

I don't want players to be able to cheat that. how can I do this. Can any player just use that url above and send this way a message/action to my server (post) telling him he won? that would make it freaking easy to cheat?

Should I encrypt stuff/the url and make the url/message only understandable by my server?

For 2- (shots), I think I should send actions to server side every time and calculate scores at server side but still can't he cheat the same way as 1-?

2 Answers
2

In addition to using post as mentioned in the answer from palainum above, if needed, you could add a string (instead of an ID) in any place in your game where the URL could be edited and is visible.

Background - I had a similar problem in one of my apps (where if a URL was changed people could deduce / edit the number and cheat). The way I overcame it was to generate a unique code for the item in the URL.

To do this, I would add a string attribute to Winning model called url_code, make it required and indexable: